The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books; "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics",
as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".

Friday, February 19, 2016

Links

Plugin Update
Thanks to input (and a couple of hives) from two co-workers yesterday, I was able to update the appcompatcache.pl RegRipper plugin to work correctly with Windows 10 systems. In one case, the hive I was testing was reportedly from a Surface tablet.

Last year, Eric documented the changes he'd observed in the structure format for Windows 10; they appear to be similar to Windows 8.1.

Something interesting that I ran across was similar to the last two images in Eric's blog post; specifically, the odd entries that appeared similar in format to (will appear wrapped):

If you look closely at the entries in the images from Eric's blog, you'll see that the time stamp reads "12/31/1600 5:00:00pm -0700". Looking at the raw data for one of the examples I had available indicated that the 64-bit time stamp was "00 09 00 00 00 00 00 00". The entry at the offset should be a 64-bit FILETIME object, but for some reason with the oddly-formatted entries, what should be the time stamp field is...something else. Eric's post is from April 2015 (almost a year ago) and as yet, there doesn't appear to have been any additional research conducted as to what these entries refer to.

For the appcompatcache.pl plugin, the time stamp is not included in the output if it's essentially 0. For the appcompatcache_tln.pl plugin, the "0" time stamp value is still included in the TLN output, so you'll likely have a few entries clustered at 1 Jan 1970.
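To show what the two plugins do with that field, here is an added example (my own code, not RegRipper's) that decodes a constructed 64-bit FILETIME field two ways: as-is, which puts the odd Windows 10 entries on 1601-01-01, and as Unix seconds for TLN output, where anything before 1970 clamps to 0 and therefore lands on 1 Jan 1970. The clamp and the five-field TLN layout are assumptions that reproduce the behaviour described above.

```python
import struct
from datetime import datetime, timedelta, timezone

# 100-nanosecond intervals between 1601-01-01 (FILETIME epoch) and 1970-01-01 (Unix epoch).
EPOCH_DIFF = 116444736000000000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed inputs: the raw field quoted above from the odd Windows 10 entry, and a
# normal FILETIME for 2016-02-19 00:00:00 UTC (Unix time 1455840000).
ODD_ENTRY_RAW = bytes.fromhex("0009000000000000")
NORMAL_RAW = struct.pack("<Q", 1455840000 * 10_000_000 + EPOCH_DIFF)

def filetime_to_datetime(raw8: bytes) -> datetime:
    """Decode the little-endian 64-bit field as-is. A (near-)zero value lands on
    1601-01-01 UTC, i.e. the "12/31/1600 5:00:00pm -0700" seen in the screenshots."""
    (ft,) = struct.unpack("<Q", raw8)
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def is_essentially_zero(raw8: bytes) -> bool:
    """True when the field holds no usable time stamp (it predates the Unix epoch)."""
    (ft,) = struct.unpack("<Q", raw8)
    return ft < EPOCH_DIFF

def filetime_to_unix(raw8: bytes) -> int:
    """Unix seconds for TLN output. Values before 1970 (0x900 in the odd entries
    included) clamp to 0, so those entries cluster on 1 Jan 1970. The clamp is an
    assumption that mirrors the described behaviour, not RegRipper's own code."""
    (ft,) = struct.unpack("<Q", raw8)
    return max((ft - EPOCH_DIFF) // 10_000_000, 0)

def appcompat_line(path: str, raw8: bytes, tln: bool = False) -> str:
    """Render one cache entry: the plain plugin drops an essentially-zero time stamp,
    the _tln variant always emits a time field (assumed layout time|source|host|user|desc)."""
    if tln:
        return f"{filetime_to_unix(raw8)}|REG|||AppCompatCache - {path}"
    if is_essentially_zero(raw8):
        return path
    return f"{path}  {filetime_to_datetime(raw8):%Y-%m-%d %H:%M:%S}Z"

if __name__ == "__main__":
    for path, raw in (("C:\\Windows\\System32\\cmd.exe", NORMAL_RAW),
                      ("odd entry", ODD_ENTRY_RAW)):
        print(appcompat_line(path, raw))
        print(appcompat_line(path, raw, tln=True))
```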

This tool, PECapture (runs as a GUI or a service), captures a copy of the executable, as well as the execution time stamp and a hash.

I have to say that as much as I think this is a great idea, it doesn't appear to capture the full command line, which I've found to be very valuable. Let's say an adversary is staging the data that was found for exfil, and uses a tool like WinRAR; capturing the command line would also allow you to capture the password they use. In a situation like that, I don't need a copy of rar.exe (or whatever it's been named to...), but I do need the full command line.

I think that for the time being, I'll continue using Sysmon, but I'd add that if you're doing malware testing, having both Sysmon and PECapture running on your test system might be a very good idea. One of the things that some malware will do is run intermediate, non-native executables, which are then deleted after use, so having the ability to capture a copy of the executable would be very useful.

I do think that it's interesting that this tool is yet another that does part of what Carbon Black does...
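As an added example of why the full command line matters (my own code, not PECapture's or Sysmon's), this check runs over constructed Sysmon Event ID 1 process-creation records and flags an archiver run from the command-line shape alone, so a renamed rar.exe is still caught, and returns the password switch for the responder. The field names follow Sysmon's ProcessCreate event; the records and the heuristics are assumptions.

```python
import re

# Constructed Sysmon Event ID 1 (ProcessCreate) records, reduced to the fields this check reads.
# The first mimics the scenario above: an archiver renamed to something innocuous, staging a
# user's documents into a password-protected archive. The second is benign.
SAMPLE_EVENTS = [
    {"UtcTime": "2016-02-19 03:12:44.101",
     "Image": "C:\\Windows\\Temp\\update.exe",
     "CommandLine": 'update.exe a -r -hpExamplePass1 "C:\\Windows\\Temp\\out.rar" "C:\\Users\\jdoe\\Documents"'},
    {"UtcTime": "2016-02-19 03:13:01.552",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": 'notepad.exe "C:\\Users\\jdoe\\notes.txt"'},
]

ARCHIVE_COMMANDS = {"a", "u", "m"}          # rar/7z verbs: add, update, move into archive
ARCHIVE_EXTS = (".rar", ".zip", ".7z")
PASSWORD_SWITCH = re.compile(r"^-(hp|p)(\S*)$", re.IGNORECASE)   # rar -p / -hp, 7z -p

def split_windows_cmdline(cmdline: str) -> list:
    """Tokenise a Windows command line, keeping quoted paths together and stripping the quotes."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def archiver_indicators(event: dict):
    """Return details if the command line looks like an archiver run, whatever the image is
    named; None otherwise. The password switch, when present, is returned verbatim, since
    that is the value a responder wants from the captured command line."""
    tokens = split_windows_cmdline(event["CommandLine"])
    if len(tokens) < 3 or tokens[1].lower() not in ARCHIVE_COMMANDS:
        return None
    archives = [t for t in tokens[2:] if t.lower().endswith(ARCHIVE_EXTS)]
    if not archives:
        return None
    pw = next((t for t in tokens[2:] if PASSWORD_SWITCH.match(t)), None)
    return {"time": event["UtcTime"], "image": event["Image"], "archive": archives[0],
            "password_protected": pw is not None, "password_switch": pw}

def scan(events):
    """Run the check over a batch of process-creation records and keep only the hits."""
    return [hit for hit in (archiver_indicators(e) for e in events) if hit]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(hit)
```

Without the command line (an executable copy and a hash only), neither the archive path nor the password switch would be available to the responder.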

Yet Another "From the Trenches"
I had to dig back further into the vault for one of my first "consulting" gigs...

Years and years ago (I should've started, "Once, in a galaxy far, far away...."), while I was still on active duty, I applied for and was able to attend the Naval Postgraduate School. While preparing to conduct testing and data collection for my master's thesis, I set up a small network in an unused room; the network consisted of a 10-Base2 network (server, two workstations) connected to a 10-BaseT network (server, 2 workstations), connected to Cisco routers, and the entire thing was connected to the campus 10-Base5 backbone via a "vampire" tap. The network servers were Windows NT 3.51, and the workstations were all Windows 95, running on older systems that I'd repurposed; I had spent considerable time searching the MS KnowledgeBase, just to get information on how to set up Win95 on most of the systems.

For me, the value of setting up this network was what I learned. If you looked at the curriculum for the school at the time, you could find six classes on "networking", spread across three departments...none of which actually taught students to set up a network. So for me, this was invaluable experience.

While I was processing out of the military, I spent eight months just hanging around the Marine Detachment at DLI. I was just a "floater" officer, and spent most of my time just making the Marines nervous. However, I did end up with a task...the Marine Commandant, Gen Krulak, had made the statement that Marines were authorized to play "Marine DOOM", which was essentially a Marine-specific WAD for DOOM. So, in the spring of '97, the Marine Det had purchased six Gateway computer systems, and had them linked together via a 10BaseT network (the game ran on a network protocol called "IPX"). The systems were all set up on a circular credenza-type desk, with six individual stations separated by partitions. I'd come back from exercising during lunch and see half a dozen Marines enthusiastically playing the game.

At one point, we had a Staff Sergeant in the detachment...I'm not sure why he was there, as he didn't seem to be assigned to a language class, but being a typical Marine SSgt, he began looking for an office to make his own. He settled on the game room, and in order to make the space a bit more usable, decided to separate the credenza-desk in half, and then turn the flat of each half against the opposite wall. So the SSgt got a bunch of Marines (what we call a "workin' party") and went about disassembling the small six-station LAN, separating the credenza and turning things around. They were just about done when I happened to walk by the doorway, and I popped my head in just to see how things were going. The SSgt caught my eye, and came over...they were trying to set the LAN back up again, and it wasn't working. The SSgt was very enthusiastic, as apparently they were almost done, and getting the LAN working again was the final task. So putting on my desktop support hat, I listened to the SSgt explain how they'd carefully disassembled and then re-assembled it EXACTLY as it had been before. I didn't add the emphasis with the word "exactly"...the SSgt had become much more enthusiastic at that word.

So I began looking at the backs of the computer systems nearest to me, and sure enough all of the systems had been connected. When I got to the system that was at the "end", I noticed that the coax cable had been run directly into the connector for the network card. I knew enough about networking and Marines that I had an idea of what was going on...and sure enough, when I moved the keyboard aside, I saw the t-connector and 50 ohm terminator sitting there. To verify the condition of the network, I asked the SSgt to try the command to test the network, and he verified that there was "no joy". I was reaching down into one of the credenza stations, behind the computer, and no one could see what I was doing...I quickly connected the terminator to the t-connector, connected it to the jack on the NIC, and then reconnected the coax cable. I told the SSgt to try again, and was almost immediately informed (by the Marines' shouts) that things were working again. The SSgt came running over to ask me what I'd done.

What are your thoughts regarding the use of process creation monitoring tools? How about the benefits of PECapture over something like Sysmon or MS audit configuration settings?

... old days of terminators...

Yeah, I'm not seeing a great deal of interest in the "From the trenches" stuff. I try to find out more about what folks want to see, but since I don't get much in the way of feedback (at least, not stuff that I can actually achieve...), I'm kind of floundering around for content...

Harlan, the trench stories are fun and if I am not mistaken you have one or two in one of the editions of WFAT. I enjoyed them especially the last one, while I do not have actual experience with terminators it made me recall a diagram in one of my networking books for one of my old college classes that I had to look up so thanks for that :)

I find carbon black to be the best as an endpoint monitoring tool due to the telemetry it collects and how the data is represented. PEcapture is interesting, I will have to check it out.

Hi Harlan, actually, I want to write a thesis paper about Sysmon. I would love to discuss this with you offline. I am in process of getting it approved right now.

As for old war stories... I dunno, the young people these days.. ;) I think your comment is shared by many other skilled and hardworking people who take the time to share their experiences. I am not sure what the answer is here to be honest. For the main fact that we all come to the table from a variety of situations and our needs / interests are not all the same? Just my guess :)

Maybe I'm only speaking for myself, but I do enjoy the in the trenches stories. Even if only for providing some insight and background on yourself. Generally there is a bit of wisdom or humor in them that we, some of us at least, can relate to. Keep it up!